[Rdo-list] Quick tip: while logging/investigating SELinux issues

Kashyap Chamarthy kchamart at redhat.com
Tue Jan 7 17:34:04 UTC 2014

I usually try these when I hit SELinux issues, thought
I'd quickly share here.

  # Put SELinux into enforcing mode
  $ setenforce 1

  # Clear the audit log (so only relevant messages can be analysed later)
  $ > /var/log/audit/audit.log

  [Perform your offending test]

  # Show a reference policy
  $ cat /var/log/audit/audit.log | audit2allow -R

And, if you're feeling more adventurous, you can even generate
an SELinux reference policy and re-test it:

e.g., if you see Neutron issues from the previous command,
      you can try:

  # Generate an SELinux loadable module package
  $ audit2allow -a -M neutron

  # Install the Policy Package
  $ semodule -i neutron.pp

  # Restart neutron-dhcp-agent again
  $ systemctl restart neutron-dhcp-agent

See if it alleviates your problem.
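
Added example (not part of the original post): a small shell/awk preview of the allow rules that the AVC denials in a log imply, optionally limited to one command name. Since `audit2allow -a` reads the whole audit log, this is a way to see what a module would pick up before running `semodule -i`. The log records, the types in them, and the function names `sample_log` and `avc_rules` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit records (not from a real system).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1389115444.101:310): avc:  denied  { read } for  pid=2101 comm="dnsmasq" name="leases" dev="dm-0" ino=4242 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file
type=AVC msg=audit(1389115444.205:311): avc:  denied  { write } for  pid=2101 comm="dnsmasq" name="leases" dev="dm-0" ino=4242 scontext=system_u:system_r:dnsmasq_t:s0 tcontext=system_u:object_r:neutron_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1389115444.205:311): arch=c000003e syscall=2 success=no exit=-13 comm="dnsmasq" exe="/usr/sbin/dnsmasq"
type=AVC msg=audit(1389115450.007:312): avc:  denied  { name_connect } for  pid=3300 comm="httpd" dest=5000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:commplex_main_port_t:s0 tclass=tcp_socket
EOF
}

# avc_rules [comm]: read audit records on stdin and print one merged
# "allow" line per (source type, target type, class). With an argument,
# only denials logged for that comm= value are considered.
avc_rules() {
  awk -v want="${1:-}" '
    /type=AVC/ && /denied/ {
      # Permission list sits between the braces: { read write }
      perms = $0; sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
      comm = src = tgt = cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/) { comm = $i; gsub(/comm=|"/, "", comm) }
        else if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
        else if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
        else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
      }
      if (want != "" && comm != want) next
      key = src " " tgt ":" cls
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (!seen[key, p[j]]++) set[key] = set[key] " " p[j]
    }
    END { for (k in set) print "allow " k " {" set[k] " };" }
  ' | sort
}

# Preview only the denials logged for dnsmasq in the sample.
sample_log | avc_rules dnsmasq
```

Against a real system, feed it the log instead of the sample, e.g. `avc_rules dnsmasq < /var/log/audit/audit.log`, and compare the result with the `.te` file that `audit2allow -M` writes next to the `.pp`.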


